Cybersecurity · May 3, 2026 · Serdar · 9 min read

Certificate Management: Automating SSL/TLS Renewal

Summary: An SME guide to SSL/TLS certificate management, automated renewal strategies, balancing Let's Encrypt with commercial certificates, and certificate hygiene.

Summary: Modern SSL/TLS certificate lifetimes range from 90 to 398 days — a pace that cannot be handled manually. Automated renewal (with tools like Let's Encrypt + ACME, certbot, acme.sh, or cert-manager) has become baseline hygiene — when a certificate expires, the site falls over, email delivery stops, and the customer's browser shows an "insecure" warning. The practical rule at SME scale: Let's Encrypt + automation for external assets, commercial certificates + inventory for critical corporate assets, your own CA for internal systems. When all three are managed maturely together, you stop having certificate crises.

In an SME, the customer portal goes down on a Friday at 17:30. Browsers throw "ERR_CERT_DATE_INVALID." The reason: the certificate expired at 17:00 and no one was tracking it. By Monday morning you have had 60 hours of serious impact: lost customers, an overloaded help desk, broken email integrations, payments that cannot be processed. A manually maintained certificate calendar is no longer a method you can rely on.

In this article we cover SSL/TLS certificate management at SME scale, automated renewal strategies, and the choice between certificate types. The audience is IT leads, sysadmins, and decision-makers who never want to live through another certificate crisis.

What Is a TLS Certificate, and Why Is Renewal Such a Pain?

A TLS certificate is a digital document that verifies the identity of a domain and enables encrypted communication. When a browser opens an HTTPS page, it inspects the certificate.

Certificate Lifetimes Keep Shrinking

The historical arc:

  • 2010s: 1,095 days (3 years)
  • 2018: 825 days
  • 2020: 398 days (Apple/Mozilla browser policy)
  • 2024+: The 90-day direction is getting stronger (Apple, Let's Encrypt are already at 90)

As lifetimes shrink, manual management becomes impossible — automation is mandatory.

Impact of an Expired Certificate

| System | Impact |
| --- | --- |
| Website (HTTPS) | "Your connection is not private" warning — users bounce |
| API endpoint | Dependent applications cannot connect |
| Email (SMTPS, IMAPS) | Mail traffic can halt |
| VPN | Users cannot connect |
| MQTT/IoT | Devices cannot send data |
| Active Directory services | LDAPS, RDP NLA break |
| Mobile apps (cert pinning) | The app cannot connect at all |

Certificate Authorities and Types

Let's Encrypt — Free and Automated

  • ACME protocol
  • 90-day lifetime, designed for automated renewal
  • Wildcard support (via DNS-01 challenge)
  • De facto standard for SME websites

Other Free CAs

  • ZeroSSL
  • Buypass Go
  • Google Trust Services (partial free tier)

Commercial CAs

  • DigiCert, Sectigo, GlobalSign, Entrust
  • 1-2 year lifetime (trending shorter)
  • EV (Extended Validation) certificate option
  • Warranty, broader support for older browser versions
  • Enterprise customer support

Certificate Types

| Type | Description | Use |
| --- | --- | --- |
| DV (Domain Validated) | Only domain ownership is verified | Standard websites |
| OV (Organization Validated) | Organization details are verified | Sites showcasing corporate identity |
| EV (Extended Validation) | Strictest verification — used to show a green company name in the URL bar | Banks, finance (the visible effect has faded) |
| Wildcard | *.firma.com.tr — covers all subdomains | Multiple subdomains |
| SAN (Multi-domain) | Multiple domains in a single certificate | Mixed-domain use |

Automated Renewal — Let's Encrypt + ACME

Let's Encrypt runs on the ACME (Automated Certificate Management Environment) protocol.

A Typical Setup Flow

  1. An ACME client on the server (certbot, acme.sh, lego)
  2. Domain ownership validation (HTTP-01 or DNS-01 challenge)
  3. The certificate is issued
  4. The web server (Nginx, Apache) is reloaded
  5. A cron job or systemd timer reruns the client every 60 days, well before the 90-day certificate expires

HTTP-01 vs DNS-01 Challenge

| Method | How It Works | Advantage | Disadvantage |
| --- | --- | --- | --- |
| HTTP-01 | A file under /.well-known/acme-challenge/ | Simple, port 80 is enough | Cannot do wildcard, needs port 80 |
| DNS-01 | An _acme-challenge TXT record | Supports wildcards, no port required | Needs DNS API access |
| TLS-ALPN-01 | Inside the TLS handshake | Port 443 is enough | Incompatible with some CDNs |

For SMEs: HTTP-01 for a single domain, DNS-01 for wildcards or multiple domains.
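To make the challenge table concrete, here is an added example (not code from the article or from any ACME client) that computes what an ACME client actually publishes for HTTP-01 and DNS-01, following RFC 8555 and the RFC 7638 JWK thumbprint. The account key, token and domain are constructed placeholders; a real client would use its own account key. It also shows the wildcard detail: the TXT record for *.firma.com.tr lives at _acme-challenge.firma.com.tr, which is why wildcards need DNS-01.

```python
import base64
import hashlib
import json

# Constructed placeholder: the public half of an ACME account key as a JWK.
# The coordinate values are dummy base64url strings, not a real key pair.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 8.1: token '.' thumbprint ties the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(token: str, jwk: dict) -> tuple:
    """Return (path the CA fetches over port 80, body it must find there)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """Return (TXT record name, TXT record value) for the domain.

    A wildcard name is validated at its base domain, so '*.' is stripped:
    the record for *.firma.com.tr is _acme-challenge.firma.com.tr.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    token = "tok-example-constructed"  # constructed; the CA issues the real one
    print("HTTP-01:", *http01_challenge(token, EXAMPLE_ACCOUNT_JWK))
    print("DNS-01: ", *dns01_challenge("*.firma.com.tr", token, EXAMPLE_ACCOUNT_JWK))
```

The HTTP-01 body and the DNS-01 TXT value are both derived from the same key authorization, which is why a leaked DNS API key matters: whoever controls the TXT record can complete the challenge for the whole wildcard.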

Popular ACME Clients and Tools

  • certbot (Python) — Official, from the EFF, the most widely used
  • acme.sh (shell) — Lightweight, dependency-free, widest DNS provider support
  • lego (Go) — Single binary, multi-DNS-provider
  • Caddy — A web server with automatic HTTPS (certificate handling stays hidden)
  • Traefik — Modern reverse proxy + automatic TLS
  • nginx-proxy-manager — UI-based management, easy for SMEs

Caddy — "Zero-Config" HTTPS for the Office

Caddy is a modern web server whose certificate issuance/renewal is fully automatic. Drop the domain name into the configuration file and Caddy handles the rest. Ideal for small SME web services.

Certificate Inventory — Who Owns What?

Automation alone is not enough; you also need to know what exists.

A Typical SME Certificate Inventory

| System | Domain/IP | Type | Provider | Expiry |
| --- | --- | --- | --- | --- |
| Website | firma.com.tr | DV wildcard | Let's Encrypt | Automatic |
| API | api.firma.com.tr | DV | Let's Encrypt | Automatic |
| Customer portal | musteri.firma.com.tr | OV | DigiCert | 2026-12 |
| VPN | vpn.firma.com.tr | DV | Let's Encrypt | Automatic |
| Mail server | mail.firma.com.tr | DV | Let's Encrypt | Automatic |
| Internal AD CA | *.local.firma | Self-signed | In-house CA | 5 years |

Inventory Management Tools

  • Open source: Cert-manager (Kubernetes), DTracker, Posh-ACME (PowerShell)
  • Commercial: Venafi, Keyfactor, Sectigo Certificate Manager
  • Cloud: Azure Key Vault, AWS Certificate Manager, GCP Certificate Manager

For SMEs, even an Excel sheet or a Notion page is enough to start — what matters is keeping a list.

Visibility via Certificate Transparency (CT) Logs

All issued TLS certificates are written into Certificate Transparency logs — publicly accessible.

Benefits

  • You can monitor every certificate issued for your organization
  • You notice attempts to obtain a forged certificate
  • You discover forgotten subdomains (see the earlier ASM article)

Tools

  • crt.sh — public interface
  • censys.io — advanced search
  • Google Cert Search
  • CertSpotter (automated alert service)

Automated Alerts

Services like CertSpotter or Sectigo CT Monitor send an automatic alert when a new certificate is issued for a domain you own. Practical for detecting forged certificates and discovering forgotten subdomains.
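An added example (not from the article, and not an official crt.sh or CertSpotter client) of the check an alert service performs: compare CT log entries for your domain against the certificate inventory and the CAs you actually use. The JSON below is constructed in the shape crt.sh returns for a JSON query; the issuer strings and the forgotten test subdomain are made up for the example. Matching is deliberately exact: a wildcard in the inventory does not make a separate certificate for some subdomain "expected", since that is exactly the forgotten-subdomain case you want to see.

```python
import json

# Constructed sample, shaped like crt.sh JSON output (name_value is newline-separated).
CT_ENTRIES_JSON = """[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "firma.com.tr\\n*.firma.com.tr", "not_after": "2026-07-01T10:00:00"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "api.firma.com.tr", "not_after": "2026-07-05T10:00:00"},
  {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=Example DigiCert Intermediate",
   "name_value": "musteri.firma.com.tr", "not_after": "2026-12-15T23:59:59"},
  {"id": 4, "issuer_name": "C=AT, O=ZeroSSL, CN=Example ZeroSSL Intermediate",
   "name_value": "test-eski.firma.com.tr", "not_after": "2026-06-20T10:00:00"},
  {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "mail.firma.com.tr", "not_after": "2026-07-10T10:00:00"}
]"""

# What the inventory says should exist, and which CAs the organisation uses.
KNOWN_NAMES = {"firma.com.tr", "*.firma.com.tr", "api.firma.com.tr",
               "musteri.firma.com.tr", "vpn.firma.com.tr", "mail.firma.com.tr"}
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of a distinguished name like 'C=US, O=..., CN=...'."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def review_ct_entries(json_text: str, known_names: set, expected_issuers: set) -> list:
    """Return (name, reason) pairs for certificates that deserve a look.

    Two independent signals: a name nobody recorded in the inventory, and a
    certificate issued by a CA the organisation does not use (either a forgotten
    setup or someone else obtaining a certificate for your domain).
    """
    findings = []
    for entry in json.loads(json_text):
        org = issuer_org(entry["issuer_name"])
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            if name not in known_names:
                findings.append((name, "not in inventory"))
            if org not in expected_issuers:
                findings.append((name, f"unexpected issuer: {org}"))
    # Keep first occurrence only; the same name can appear in several log entries.
    return list(dict.fromkeys(findings))


def run_example() -> list:
    return review_ct_entries(CT_ENTRIES_JSON, KNOWN_NAMES, EXPECTED_ISSUERS)


if __name__ == "__main__":
    for name, reason in run_example():
        print(f"{name:30} {reason}")
```

In practice you would fetch the JSON from crt.sh or receive it from an alert service on a schedule, and treat every finding as a ticket: either add the name to the inventory (and decide whether it should still exist) or investigate who requested the certificate.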

Certificate Pinning — Extra Security

Certificate pinning is used in mobile apps and critical clients: the app only accepts specific certificates.

Advantage

  • Resilient to MitM (Man-in-the-Middle) attacks
  • The app is protected even if a CA is compromised

Disadvantage

  • When the certificate changes, every client falls out of sync
  • Renewals turn into a chain operation
  • If managed incorrectly, your app stops working

For SMEs: only use pinning when high security is required. HTTP Public Key Pinning (HPKP) has been largely abandoned in browsers; pinning is still used in mobile apps.

Internal CA — In-House Certificates

Some scenarios cannot be solved by Let's Encrypt or commercial CAs:

  • Internal hostnames (*.local.firma)
  • Certificates for IP addresses
  • Dev/staging environments
  • IoT devices, MQTT brokers

The solution: run your own CA.

Microsoft AD Certificate Services

Run an internal CA inside an Active Directory environment. All domain-joined devices automatically trust this CA. Internal certificates are issued with 2-5 year lifetimes.

The Open-Source Path — step-ca

Smallstep step-ca is a modern private CA with ACME support, straightforward configuration, and an easy install. Ideal for internal automation.

Self-Signed Certificates

The simplest option, but you have to manually trust them on every device. For temporary development/testing only.

Common Certificate Mistakes

Frequent missteps in SMEs:

  • The renewal cron is broken and nobody noticed — the certificate expires
  • Only port 443 is open and port 80 is blocked — HTTP-01 cannot work as long as port 80 is closed
  • The DNS provider API key is stale/revoked — the wildcard DNS-01 cannot be renewed
  • The same certificate is manually copied to multiple places — one location is renewed while another lags
  • OCSP stapling is not configured — performance loss, privacy leakage
  • TLS 1.0/1.1 still enabled — outdated security
  • Weak cipher suites — legacy algorithms still active
  • Missing Subject Alternative Name (SAN) — the main domain works but www. does not

Certificate Health Checks

Tests you should run regularly:

  • SSL Labs Server Test (ssllabs.com) — target an A+
  • testssl.sh — command line, detailed
  • Mozilla Observatory — broad web security
  • Nmap NSE scripts — nmap --script ssl-enum-ciphers

Run these on all external assets quarterly or at minimum annually.
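Several items in the mistakes list (TLS 1.0/1.1 still enabled, weak cipher suites, no OCSP stapling) can be caught before SSL Labs or testssl.sh ever run, by linting the web server configuration. Here is an added example (my own code, not the article's or any tool's) that audits nginx-style TLS directives: a weak configuration and a hardened one sit side by side, both constructed for the example. The certificate paths are placeholders, and the cipher list in the hardened version is a typical modern ECDHE/AEAD selection, not a directive copied from the article.

```python
import re

# Constructed: the kind of config that produces a poor SSL Labs grade.
WEAK_WEBSERVER_CONF = """
server {
    listen 443 ssl;
    server_name firma.com.tr;
    ssl_certificate /etc/ssl/firma.com.tr/fullchain.pem;
    ssl_certificate_key /etc/ssl/firma.com.tr/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4:3DES;
}
"""

# Constructed: the same server with the mistakes from the list corrected.
HARDENED_WEBSERVER_CONF = """
server {
    listen 443 ssl;
    server_name firma.com.tr www.firma.com.tr;
    ssl_certificate /etc/ssl/firma.com.tr/fullchain.pem;
    ssl_certificate_key /etc/ssl/firma.com.tr/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/firma.com.tr/chain.pem;
}
"""

# Substrings that mark legacy or broken cipher suites in an OpenSSL cipher string.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(conf_text: str) -> dict:
    """Collect 'name value;' lines into a dict (last occurrence wins)."""
    directives = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*([a-z_]+)\s+(.+?)\s*;\s*$", line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def audit_tls_config(conf_text: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_directives(conf_text)
    findings = []

    protocols = d.get("ssl_protocols", "").split()
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if not protocols:
        findings.append("ssl_protocols: not set explicitly; pin it to TLSv1.2 TLSv1.3")
    elif legacy:
        findings.append(f"ssl_protocols: TLS 1.0/1.1 still enabled ({' '.join(legacy)})")

    # Entries prefixed with '!' are exclusions, so only positive entries are judged.
    ciphers = [c for c in d.get("ssl_ciphers", "").split(":") if c and not c.startswith("!")]
    weak = [c for c in ciphers if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(f"ssl_ciphers: weak cipher suites present ({', '.join(weak)})")

    if d.get("ssl_stapling", "off").lower() != "on":
        findings.append("ssl_stapling: OCSP stapling not enabled")
    elif "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling: enabled but ssl_trusted_certificate is missing, "
                        "so the staple cannot be verified")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_WEBSERVER_CONF), ("hardened", HARDENED_WEBSERVER_CONF)):
        print(label, audit_tls_config(conf) or "clean")
```

This is a static check and complements, rather than replaces, an external scan: only a test against the live endpoint proves which protocols and ciphers the server actually negotiates, and whether the staple is really being sent.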

What Yamanlar Bilişim Offers

Our SME-scale certificate management support areas:

  • Extracting the current certificate inventory
  • Let's Encrypt + automation setup (certbot, acme.sh, Caddy)
  • DNS-01 configuration for wildcard certificates
  • Commercial certificate selection and management
  • Microsoft AD CS or step-ca deployment
  • CT log monitoring integration
  • TLS health audits (SSL Labs, testssl.sh)
  • Annual certificate-hygiene report

Conclusion

SSL/TLS certificate management is no longer a "handled once a year" chore. 90-day lifetimes, the ubiquity of Let's Encrypt, and modern web infrastructure that demands TLS everywhere have made automation hygiene one of the core SME disciplines. When set up correctly, certificates renew themselves in the background, certificate crises end, and the IT team focuses on more valuable work.

At Yamanlar Bilişim, we deliver certificate automation, inventory management, and annual hygiene audits sized to your environment — turning your certificates from a "Friday-evening surprise" into a regular, invisible part of your infrastructure.

Frequently Asked Questions

Is Let's Encrypt enough for an SME, or should we buy commercial certificates?

For most SME web assets, Let's Encrypt is more than enough. At the DV level it is free, automated, and broadly supported by browsers. Commercial certificates are only necessary when showing an OV/EV badge is a marketing advantage (banking, finance), a warranty is required, very old browser support is needed, or an enterprise customer specifically demands a commercial cert. Outside those cases, Let's Encrypt is usually the right answer.

90 days is short — is there no way to get a longer cert?

The trend is in the other direction. 398-day certificates can still be bought (from commercial CAs like DigiCert and Sectigo), but Apple and Mozilla are signaling a move toward 47-day lifetimes. Automation is here to stay; the right plan is to manage certificates automatically rather than chasing longer durations.

Should I use certbot or acme.sh?

Both are good. certbot is Python-based, the EFF's official client, with the widest documentation; it pulls in dependencies for certain use cases. acme.sh is shell-based, dependency-free, and supports the widest list of DNS providers. In SME environments, acme.sh often comes out as more flexible and lightweight; certbot is the default in the Ubuntu/Debian ecosystem.

Are wildcard certificates a security risk?

Because a single wildcard certificate covers all subdomains, if its private key leaks every subdomain is compromised. That is why some organizations prefer separate SAN certs over wildcards. From an automation standpoint, however, a wildcard is practical for SMEs; with strong private-key protection (HSM, strict access), the risk is manageable.

Why does OCSP stapling matter?

OCSP (Online Certificate Status Protocol) checks whether a certificate has been revoked. Without stapling, the browser queries the CA on every connection — both a performance and privacy problem. With stapling, the server fetches the response in advance and sends it to the browser. Stapling is required for an SSL Labs A+ score.

How many days before expiry should I get an alert?

With automation: 7 days (the renewal already happens on day 60, the 7-day alert is insurance). With manual management: 30 days first warning + 14-day reminder + 7-day urgent. Automate this in your monitoring system, not Excel (e.g., Uptime Kuma certificate check, Pingdom, Datadog).
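An added example (my own code, not the article's or a monitoring product's) that turns the inventory table from the "Certificate Inventory" section and the thresholds in this answer into a check you can run from cron: it reads a CSV inventory, computes days to expiry, and applies 7 days for automated certificates versus 30/14/7 for manually managed ones. The inventory rows, dates and the "renewal" column are constructed for the example; the evaluation date is fixed to the article's date so the result is reproducible.

```python
import csv
import io
from datetime import date, datetime
from typing import Optional

# Constructed inventory, in the shape of the table earlier in the article.  The
# expiry column records the certificate's real notAfter date even when an ACME
# client renews it; the renewal column says who renews it ("automatic"/"manual").
INVENTORY_CSV = """system,domain,type,provider,expiry,renewal
Website,firma.com.tr,DV wildcard,Let's Encrypt,2026-06-10,automatic
API,api.firma.com.tr,DV,Let's Encrypt,2026-05-08,automatic
Customer portal,musteri.firma.com.tr,OV,DigiCert,2026-05-20,manual
VPN,vpn.firma.com.tr,DV,Let's Encrypt,2026-04-30,automatic
Mail server,mail.firma.com.tr,DV,Let's Encrypt,2026-07-01,automatic
"""

# Thresholds from the FAQ: an automated certificate renews around day 60 of 90,
# so one still within 7 days of expiry means the renewal job has silently failed.
AUTOMATIC_ALERT_DAYS = 7
MANUAL_WARNING_DAYS = 30
MANUAL_REMINDER_DAYS = 14
MANUAL_URGENT_DAYS = 7


def classify(days_left: int, renewal: str) -> Optional[str]:
    """Map days-to-expiry to an alert level, or None when nothing is due."""
    if days_left < 0:
        return "EXPIRED"
    if renewal == "automatic":
        return "RENEWAL FAILED" if days_left <= AUTOMATIC_ALERT_DAYS else None
    if days_left <= MANUAL_URGENT_DAYS:
        return "URGENT"
    if days_left <= MANUAL_REMINDER_DAYS:
        return "REMINDER"
    if days_left <= MANUAL_WARNING_DAYS:
        return "WARNING"
    return None


def check_inventory(csv_text: str, today: date) -> list:
    """Return one finding per certificate needing attention, soonest expiry first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        expiry = datetime.strptime(row["expiry"].strip(), "%Y-%m-%d").date()
        days_left = (expiry - today).days
        level = classify(days_left, row["renewal"].strip().lower())
        if level is not None:
            findings.append({"domain": row["domain"], "days_left": days_left, "level": level})
    return sorted(findings, key=lambda f: f["days_left"])


def run_example() -> list:
    """Evaluate the constructed inventory as of 2026-05-03 (fixed for reproducibility)."""
    return check_inventory(INVENTORY_CSV, date(2026, 5, 3))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['level']:15} {f['domain']:25} {f['days_left']:4d} days left")
```

The interesting row is the API certificate: it is ACME-managed, yet has only 5 days left, which is the "renewal cron is broken and nobody noticed" case from the mistakes list. Wire the output into whatever monitoring system you already have (Uptime Kuma, Pingdom, Datadog) rather than reading it from a spreadsheet.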

Last updated: May 3, 2026

Author: Serdar, Yamanlar Bilişim Expert. Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim.